In 2021, Securitas, a multinational security company based in Sweden, suffered a severe data breach exposing 1.5 million files, including sensitive personal and company information.
What happened
According to SafetyDetectives Cybersecurity Team, “One of the company’s Amazon S3 buckets was left open, exposing over 1 million files,” or about 3TB of data. The compromised data included employee personal identifiable information (PII) and sensitive company data of “at least four airports in Colombia and Peru:
- El Dorado International Airport (Bogota D.C, COL),
- Alfonso Bonilla Aragón International Airport (Valle del Cauca, COL),
- José María Córdova International Airport (Antioquia, COL), and
- Aeropuerto Internacional Jorge Chávez (Lima, PE).”
SafetyDetectives says, "Securitas left its Amazon S3 bucket open and accessible, without any authentication procedures in place." As a result, airport employees' PII and other sensitive business data were left unprotected.
The leaked files included images of employee ID cards, images of airplanes, and even GPS coordinates and device data embedded in photo files, and logistical information like "photos of fueling lines, luggage loading, and aircraft operations."
Moreover, the breach, which affected airports in Colombia and Peru, could have also impacted additional clients and employees across Latin America and beyond.
A closer look at the leaked data
The exposed information ranged from images of airport security staff ID cards to unmarked photos of airport operations, including "photos of employees, photos of planes, photos of fueling lines, and photos of luggage being loaded/unloaded."
Additionally, the images carried Exchangeable Image File Format (EXIF) data, which included sensitive metadata like "device models (of the cameras used), GPS locations of photos, time, and date."
If misused by malicious actors, this data exposure could be “extremely dangerous with potentially devastating consequences..."
The potential risks of the data exposure
The impact of the data breach could have been catastrophic if exploited by cybercriminals. The data exposed from the S3 bucket threatened both the privacy and the physical safety of airport employees.
The leaked ID photos could enable criminals to impersonate legitimate airport staff and gain unauthorized access to restricted areas such as luggage-loading zones or aircraft. The exposure also included mobile apps used by Securitas security personnel; although these were not directly linked to sensitive data, they could give criminals further insight into security protocols, which in turn could be used to create counterfeit IDs, enter restricted areas, or even carry out physical attacks on airport staff.
The legal and financial fallout
SafetyDetectives noted that the company’s failure to secure its cloud infrastructure could violate several data protection regulations, including those enforced by the Autoridad Nacional de Protección de Datos Personales (ANPDP) in Peru and the Superintendent of Industry and Commerce (SIC) in Colombia.
The ANPDP could impose fines ranging from US$61,000 to US$122,000, and the SIC could levy penalties of up to US$400,000 for breaches of data protection laws.
If the data breach had occurred in the U.S., Securitas would face severe legal and financial penalties under multiple federal and state data protection laws. For example:
- The Federal Trade Commission (FTC) could levy fines, require corrective actions, or impose ongoing compliance monitoring.
- If the exposed data included protected health information (PHI), the breach could violate the Health Insurance Portability and Accountability Act (HIPAA), resulting in penalties from $100 to $50,000 per violation.
- If it impacted airport operations and security, the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA) could assess additional penalties and mandate operational changes to mitigate risks to national security.
- If the exposed data belonged to California residents, Securitas could face penalties under the California Consumer Privacy Act (CCPA), with civil fines of $2,500 per violation and $7,500 for intentional violations. In addition, affected individuals could pursue statutory damages of $100–$750 per consumer per incident.
- Under New York's Stop Hacks and Improve Electronic Data Security (SHIELD) Act, violations could result in civil penalties of up to $250,000 or more if negligence is proven.
- States like Massachusetts, which require entities to implement a written information security program (WISP), could levy fines for noncompliance.
- Victims of identity theft or financial fraud could sue for damages, and settlements could reach millions, as in Equifax’s $700 million settlement.
When combining these regulatory fines, class-action settlements, and costs for remediation and compliance, the total legal and financial impact could easily reach tens or even hundreds of millions of dollars.
What we can learn
Use secure cloud storage configuration
Integrating a HIPAA-compliant storage solution could have helped prevent the exposure of sensitive data. Solutions such as Dropbox Business or Google Workspace Business plans provide the necessary security features, including encryption, access controls, and audit trails, so files remain protected even in a shared environment. These tools also help prevent unauthorized access and create a clear record of who interacts with the data.
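The failure described above was a bucket that anyone could read. One way to test a bucket's policy and ACL for that misconfiguration, as an added example that is not Securitas, SafetyDetectives or AWS code: the policy and ACL are constructed, the bucket name is a placeholder, and treating any Condition as scoping is a simplification of AWS's own public-access rules.

```python
"""Flag S3 bucket policies and ACLs that grant anonymous access, the misconfiguration
that leaves a bucket "open". Added illustration, not Securitas, SafetyDetectives
or AWS code; the policy and ACL samples below are constructed."""
import json
PUBLIC_GROUPS = {  # the two ACL grantee groups that include the anonymous public
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _is_wildcard_principal(principal):
    # "*" or {"AWS": "*"} (alone or inside a list) means any caller, signed or not
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy):
    """Sids of Allow statements open to any principal and unrestricted by a Condition.
    Simplification: any Condition counts as scoping, whereas AWS only discounts
    specific keys (e.g. a non-wildcard aws:SourceIp); Deny statements are skipped."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [
        stmt.get("Sid", "<no Sid>") for stmt in statements
        if stmt.get("Effect") == "Allow"
        and _is_wildcard_principal(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]

def public_acl_grants(acl):
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    return [
        (grant["Grantee"]["URI"].rsplit("/", 1)[1], grant["Permission"])
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
    ]

# Constructed samples: a policy that lets anyone list and read the bucket (the IP-scoped
# second statement is not flagged) and an ACL READ grant to AllUsers; either one alone
# makes the bucket world-readable. "example-bucket" is a placeholder name.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}
OPEN_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
```

With the real AWS CLI, the same inputs come from `get-bucket-policy` and `get-bucket-acl`; turning on S3 Block Public Access at the account level rejects both grants outright.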
Data protection should be a priority for all industries
While the data leak involved employees and clients from the aviation sector, it could have impacted other industries, as Securitas provides security services to a wide range of sectors.
Companies that handle sensitive data (whether for government agencies, private companies, or large infrastructure providers) must therefore improve their data protection measures.
Response delays can exacerbate the impact
Companies must have incident response protocols in place and respond to data breaches immediately to prevent the worst outcomes.
EXIF data can be a hidden security risk
The EXIF data in the exposed photos, including GPS coordinates and device information, shows that stored images carry hidden metadata that raises the impact of a breach: that metadata can be used to plan targeted attacks or to gain insight into sensitive operations.
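Stripping that metadata before images are stored removes the risk at the source. An added example, not code from Securitas or SafetyDetectives, that parses the Exif segment of a JPEG to detect the GPS sub-IFD and then drops the segment without touching the image data; the sample JPEG is constructed inline, and the code handles only Exif APP1 segments, not XMP or other metadata blocks.

```python
"""Detect and strip Exif metadata, including the GPS sub-IFD, from a JPEG. Added
illustration, not Securitas or SafetyDetectives code; the sample JPEG is constructed."""
import struct
SOS, APP1, GPS_IFD_TAG = 0xDA, 0xE1, 0x8825  # JPEG markers; IFD0 tag pointing at the GPS IFD
EXIF_ID = b"Exif\x00\x00"

def _segments(data):
    """Yield (marker, start, end) for each marker segment up to and including SOS."""
    pos = 2  # skip the 0xFFD8 start-of-image marker
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # counts itself, not the marker
        yield marker, pos, pos + 2 + length
        if marker == SOS:  # entropy-coded scan data follows; marker parsing stops here
            return
        pos += 2 + length

def has_gps_exif(data):
    """True if an Exif APP1 segment's IFD0 carries a GPS IFD pointer (tag 0x8825)."""
    for marker, start, end in _segments(data):
        payload = data[start + 4:end]
        if marker != APP1 or not payload.startswith(EXIF_ID):
            continue
        tiff = payload[len(EXIF_ID):]
        endian = "<" if tiff[:2] == b"II" else ">"  # byte order from the TIFF header
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):  # 12-byte entries: tag, type, count, value/offset
            entry = ifd0 + 2 + 12 * i
            if struct.unpack(endian + "H", tiff[entry:entry + 2])[0] == GPS_IFD_TAG:
                return True
    return False

def strip_exif(data):
    """Copy of the JPEG with every Exif APP1 segment dropped; pixel data is untouched."""
    out = bytearray(data[:2])
    for marker, start, end in _segments(data):
        if marker == APP1 and data[start + 4:end].startswith(EXIF_ID):
            continue
        out += data[start:end]
        if marker == SOS:
            out += data[end:]  # scan data through the EOI marker, copied verbatim
    return bytes(out)

def sample_jpeg():
    # Constructed: little-endian TIFF; IFD0 (one LONG entry, the GPS pointer) at offset 8,
    # a GPS IFD holding only GPSVersionID at offset 26, then a minimal SOS and EOI.
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_TAG, 4, 1, 26, 0)
    gps = struct.pack("<HHHI4sI", 1, 0x0000, 1, 4, b"\x02\x03\x00\x00", 0)
    exif = EXIF_ID + b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
    return b"\xff\xd8" + app1 + sos + b"\xff\xd9"
```

On a real file, pass `open(path, "rb").read()` to `has_gps_exif` and `strip_exif` and write the returned bytes back out.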
Regulatory compliance is non-negotiable
Companies must comply with local and international data protection laws to avoid legal ramifications.
Ongoing awareness and training
Employees and security teams must undergo regular education on the risks of improper data handling and the steps they can take to mitigate them.
FAQs
Do airports need to comply with HIPAA?
Airports are not typically subject to HIPAA, but healthcare providers or vendors working at airports may be. In that case, they must sign a business associate agreement (BAA) with the HIPAA-covered entity.
Who enforces HIPAA penalties?
The Department of Health and Human Services (HHS) enforces HIPAA penalties. HHS sets penalty amounts according to the severity of the violation and adjusts them for inflation so that they remain effective over time.
How does HIPAA protect electronic health information?
HIPAA requires covered entities to safeguard patients’ protected health information (PHI) from unauthorized access or disclosure, ultimately securing electronic health data.